
seek single sign-on, and Microsoft's Active Directory Federation Services is the traditional way to get it. But ADFS doesn't prevent login prompts in all applications; Outlook or Skype for Business users have to look elsewhere.

Businesses have a new option for SSO. Azure Active Directory (AD) Seamless SSO registers a special computer account in AD to act as a proxy so that Integrated Windows Authentication (IWA) -- which authenticates users with their existing domain logon -- works against specific URLs in Azure AD and signs a user in as if the URLs were an intranet site.

Administrators can configure Azure AD Connect, which integrates an on-premises directory with Azure AD, to perform Seamless SSO; set up an Office 365 tenant to support modern authentication; and, finally, examine the client experience.

Combine Azure Active Directory SSO with modern authentication, which enables features such as multifactor authentication and certificate-based authentication, to get a full SSO without ADFS. Modern authentication uses a web browser-based sign-in within the Office applications, which enables IWA to work.

Configure Azure AD Connect

To set up the feature, start with Azure AD Connect and password synchronization in place. Launch the Azure AD Connect configuration wizard, select the User Sign-In option and choose Enable single sign on, as shown in Figure 1.

Figure 1. Click on Enable single sign on to use Seamless SSO.

On the Enable single sign on page shown in Figure 2, enter the domain administrator credentials to create the special computer account for Azure AD Connect in the local AD.

Complete the setup wizard. Once Azure AD Connect updates the configuration, verify that the new computer account has been created. Open Active Directory Users and Computers, navigate to the Computers container and look for a new computer for Azure Active Directory SSO, named AZUREADSSOACC:

Figure 3. Verify that the action created a new computer account named AZUREADSSOACC.
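The same verification can be scripted. The following is an added example, not part of the article, that looks up the AZUREADSSOACC account with the ActiveDirectory RSAT module and reports the age of its Kerberos key. That key is what lets Azure AD validate the IWA ticket, so it deserves the same care as any service account credential; Microsoft's guidance is to roll it at least every 30 days with the Update-AzureADSSOForest cmdlet on the Azure AD Connect server. The 30-day threshold below is that guidance, not a value from the article.

```powershell
# Added example (not from the article): confirm the Seamless SSO computer account exists
# and report how long ago its Kerberos decryption key was set.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read the
# Computers container.
Import-Module ActiveDirectory

$accountName = 'AZUREADSSOACC'   # account name created by Azure AD Connect, as the article states

$acc = Get-ADComputer -Filter "Name -eq '$accountName'" `
                      -Properties PasswordLastSet, Enabled, DistinguishedName

if (-not $acc) {
    Write-Warning "Computer account $accountName was not found. Re-run the Azure AD Connect wizard with Enable single sign on selected."
    return
}

Write-Host "Found   : $($acc.DistinguishedName)"
Write-Host "Enabled : $($acc.Enabled)"

# Microsoft recommends rolling this key at least every 30 days (assumed threshold below).
$maxKeyAgeDays = 30
$keyAgeDays = (New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)).Days

if ($keyAgeDays -gt $maxKeyAgeDays) {
    Write-Warning "Kerberos key for $accountName is $keyAgeDays days old; roll it with Update-AzureADSSOForest on the Azure AD Connect server."
} else {
    Write-Host "Kerberos key last set $keyAgeDays days ago (within $maxKeyAgeDays days)."
}
```

Run it from any domain-joined management workstation; a missing account means the wizard step did not complete, and a disabled account or a very old key means Seamless SSO will fail or is overdue for key rollover.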

Set up the Office 365 tenant

To use the Seamless SSO service with Outlook and Skype for Business applications, enable the Office 365 tenant for modern authentication.

Connect with Exchange Online PowerShell and use administrative credentials, as such:

Invoke the Set-CsOAuthConfiguration cmdlet to enable Modern Authentication.

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

These are common steps to enable SSO with Windows 10 Azure AD-joined devices and ADFS.

If your organization uses Office 2013 with modern authentication enabled -- or Office 2016, which uses modern authentication if available -- then the system will prompt clients for a password until you have completed and tested the remainder of the steps.
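The tenant-side steps above can be checked and applied in one script. The following is an added example, not code from the article. Set-CsOAuthConfiguration is a Skype for Business Online cmdlet; Exchange Online has its own modern-authentication switch, OAuth2ClientProfileEnabled on Set-OrganizationConfig, so the script connects to both services. It assumes the SkypeOnlineConnector module is installed and uses the remote PowerShell connection methods that were current when the article was written; newer module-based connection cmdlets replace them but the configuration cmdlets are the same.

```powershell
# Added example (not from the article): check and, where needed, enable modern
# authentication for Exchange Online and Skype for Business Online.
# Assumptions: SkypeOnlineConnector module installed; legacy remote PowerShell
# endpoints reachable; the supplied credential is a global administrator.
$cred = Get-Credential -Message 'Office 365 global administrator'

# --- Exchange Online -------------------------------------------------------
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo -DisableNameChecking -AllowClobber | Out-Null

$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Write-Host 'Exchange Online: modern authentication enabled.'
} else {
    Write-Host 'Exchange Online: modern authentication was already enabled.'
}

# --- Skype for Business Online ---------------------------------------------
Import-Module SkypeOnlineConnector
$sfbo = New-CsOnlineSession -Credential $cred
Import-PSSession $sfbo -AllowClobber | Out-Null

$oauth = Get-CsOAuthConfiguration
if ($oauth.ClientAdalAuthOverride -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    Write-Host 'Skype for Business Online: modern authentication enabled.'
} else {
    Write-Host 'Skype for Business Online: modern authentication was already enabled.'
}

Remove-PSSession $exo, $sfbo
```

Checking the current value before calling the Set cmdlet keeps the script safe to re-run and makes it obvious in the output which service actually changed.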

Configure Intranet Zone settings

Azure Active Directory SSO requires an administrator to add two URLs to Internet Explorer's Local Intranet Zone on client PCs. This indicates to the client that the specific URLs are safe to use with IWA.

When you add these URLs to the Intranet Zone in Internet Explorer, Office clients such as Outlook, as well as Chrome, inherit the setting.

To test the functionality, open the Internet Explorer options page, and on the Security tab, choose Local Intranet, then Sites and finally add the URLs, as shown in Figure 4.

Figure 4. Test that the two mandatory URLs for Azure AD's SSO service function in Internet Explorer.

Admins typically deploy these URLs via Group Policy. Open the Group Policy management tools for your domain, and either create a new policy or amend an existing one for users who need SSO. Under the User Configuration section, as seen in Figure 5, navigate to Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Select the Site to Zone Assignment List.

Figure 5. Create or adjust Group Policy for users who need SSO.

Add both site URLs to the Site to Zone Assignment List, with the URL as the Value name and the Value as 1, which indicates that the URL should be added to the Intranet Zone, as seen in Figure 6.

Figure 6. Add the value name and value for each URL to join the Intranet Zone.
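Once the policy has applied, you can confirm on a client that both URLs really landed in the Local Intranet zone rather than trusting the Group Policy console. The following is an added example, not part of the article. It assumes the Site to Zone Assignment List policy writes to the ZoneMapKey registry key under the Policies hive (HKCU for User Configuration, HKLM for Computer Configuration), where each value name is a URL and the data is the zone number. The two URLs are taken from Microsoft's Seamless SSO documentation of that period; the article itself does not name them.

```powershell
# Added example (not from the article): verify on a client PC that the Seamless SSO
# URLs are assigned to zone 1 (Local Intranet) by the Site to Zone Assignment List.
# Assumptions: the URLs below match Microsoft's documented Seamless SSO endpoints of
# the time; the policy writes to the ZoneMapKey keys listed here.
$requiredUrls = @(
    'https://autologon.microsoftazuread-sso.com',
    'https://aadg.windows.net.nsatc.net'
)

$policyPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',  # User Configuration
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'   # Computer Configuration
)

function Get-ZoneAssignment {
    param([string]$Url)
    foreach ($path in $policyPaths) {
        if (Test-Path $path) {
            $data = (Get-ItemProperty -Path $path -Name $Url -ErrorAction SilentlyContinue).$Url
            if ($null -ne $data) {
                return [pscustomobject]@{ Url = $Url; Zone = [string]$data; Source = $path }
            }
        }
    }
    return $null
}

$allGood = $true
foreach ($url in $requiredUrls) {
    $assignment = Get-ZoneAssignment -Url $url
    if ($null -eq $assignment) {
        Write-Warning "$url is not assigned to any zone by policy. Run gpupdate /force and re-check."
        $allGood = $false
    } elseif ($assignment.Zone -ne '1') {
        # Only zone 1 (Local Intranet) lets IWA send the Kerberos ticket silently.
        Write-Warning "$url is in zone $($assignment.Zone); expected 1 (Local Intranet)."
        $allGood = $false
    } else {
        Write-Host "$url -> Local Intranet (from $($assignment.Source))"
    }
}

if ($allGood) { Write-Host 'Both Seamless SSO URLs are in the Local Intranet zone.' }
```

Because the script reads the policy keys rather than the user's own zone settings, it also catches the case where a user has added the URLs by hand in Internet Options, which would not survive a policy refresh.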

What are the caveats?

Once Seamless SSO is configured and you've deployed the supporting policies, the sign-in experience removes almost every prompt for a username and eliminates password prompts.

In some scenarios, however, the user still needs to enter a username.

A username -- typically an email address -- is required to access some web-based services, including the Office 365 portal, OneDrive and SharePoint. However, after entering the username, the system won't prompt the user for a password.

Organizations that use Microsoft Edge on Windows 10 have an additional step after adding both site URLs to the Site to Zone Assignment List. Edge does not support Seamless SSO, so it might be necessary to configure Edge to hand Intranet Zone URLs off to Internet Explorer.

Add the Office 365 login page URL to the Intranet Zone to indicate when to use Internet Explorer, instead of native functionality. To ensure Edge launches Internet Explorer for these sites, change the same Group Policy, under Policies > Administrative Templates > Windows Components > Microsoft Edge and enable the policy to send all intranet sites to Internet Explorer 11.

The next-generation OneDrive client, which can sign into both consumer and business OneDrive services, is similar. On first entry, the user must enter a username to sign in but will not be prompted for a password.
